LazyStack

ApiGateway Overview

The AWS Serverless Application Model (SAM) provides two types of ApiGateways.

  • AWS::Serverless::HttpApi - lower latency/cost service with restricted feature set
  • AWS::Serverless::Api - original service with a broad feature set

AWS ApiGateway resources may be configured with various security options. LazyStack provides four predefined ApiGateway configurations:

Configuration (with the AWS resources it creates) and description:

HttpApiUnsecure
Resources:
    AWS::Serverless::HttpApi

Anyone can call this API. Probably not what you really want for almost any real application, but it is simple!

HttpApiSecure
Resources:
    AWS::Serverless::HttpApi
    AWS::Cognito::UserPool
    AWS::Cognito::UserPoolClient
    AWS::Cognito::IdentityPool

Uses Cognito to provide user management and OAuth2 security on calls to the API. This is an inexpensive, highly performant solution with “good” security. This API Gateway configuration has some limitations but is a good choice for many application stacks.

ApiUnsecure
Resources:
    AWS::Serverless::Api

Anyone can call this API. Probably not what you really want for almost any real application. It offers access to more AWS resources than the HttpApiUnsecure.

ApiSecure
Resources:
    AWS::Serverless::Api
    AWS::Cognito::UserPool
    AWS::Cognito::UserPoolClient
    AWS::Cognito::IdentityPool
    AWS::Cognito::IdentityPoolRoleAttachment
    AWS::IAM::Role

Highly secure interface requiring individually signed requests against the API. This configuration provides a wider range of access to AWS resources. Unfortunately, this configuration is much more expensive than the HttpApiSecure configuration.

Use the LazyStack DefaultApi directive to select which predefined ApiGateway to use by default. Use the ApiTagMap directive to use multiple ApiGateways.
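The two secured configurations above, expressed as one illustrative SAM template. This is an added example, not a template generated by LazyStack; the logical resource names, the /hello route, the prod stage name and the placeholder pool name are assumptions. The HTTP API accepts only Cognito-issued JWTs via a JWT authorizer (HttpApiSecure), while the REST API uses AWS_IAM so every call must be SigV4-signed with temporary credentials from the identity pool, whose authenticated role is limited to execute-api:Invoke on that one API (ApiSecure).

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Added example of the HttpApiSecure and ApiSecure patterns (not LazyStack output)

Resources:
  # Cognito user pool and public app client, shared by both secured APIs
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: example-user-pool          # placeholder name
      UsernameAttributes: [email]
      AutoVerifiedAttributes: [email]
  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref UserPool
      GenerateSecret: false                    # browser/mobile client, no client secret
      ExplicitAuthFlows: [ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH]

  # HttpApiSecure: every route requires a valid JWT from the user pool by default
  SecureHttpApi:
    Type: AWS::Serverless::HttpApi
    Properties:
      Auth:
        DefaultAuthorizer: CognitoJwt
        Authorizers:
          CognitoJwt:
            IdentitySource: $request.header.Authorization
            JwtConfiguration:
              issuer: !Sub https://cognito-idp.${AWS::Region}.amazonaws.com/${UserPool}
              audience: [!Ref UserPoolClient]  # tokens minted for another client are rejected

  # ApiSecure: REST API where every request must carry a SigV4 signature (IAM_AUTH)
  SecureRestApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      Auth:
        DefaultAuthorizer: AWS_IAM

  # Identity pool exchanges a user-pool token for temporary AWS credentials
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: false    # no guest credentials
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !GetAtt UserPool.ProviderName

  # Role handed to authenticated identities; scoped to invoking this API only
  AuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Federated: cognito-identity.amazonaws.com }
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref IdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated
      Policies:
        - PolicyName: InvokeSecureRestApi
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: execute-api:Invoke
                Resource: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${SecureRestApi}/prod/*
  IdentityPoolRoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt AuthenticatedRole.Arn

  # One function exposed on both APIs so each gateway has a route to protect
  HelloFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      InlineCode: |
        def handler(event, context):
            return {"statusCode": 200, "body": "hello"}
      Events:
        HttpRoute:
          Type: HttpApi
          Properties: { ApiId: !Ref SecureHttpApi, Path: /hello, Method: GET }
        RestRoute:
          Type: Api
          Properties: { RestApiId: !Ref SecureRestApi, Path: /hello, Method: GET }
```

Deploy with `sam deploy --guided`; an unauthenticated GET on either /hello route returns 401/403, which is the quickest check that the default authorizer is actually in force on every route and not only on the ones you remembered to annotate.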

AWS::Serverless::Api and AWS::Serverless::HttpApi

Here is a quick, less-than-complete comparison of the two ApiGateway types:

Feature                          | AWS::Serverless::Api | AWS::Serverless::HttpApi
---------------------------------|----------------------|------------------------------
IAM_AUTH (signed requests)       | Yes - more secure.   | No - less secure.
Cognito User Pool Authorizers    | Yes                  | Yes
Cost                             | High                 | 1/3 of the cost
Performance (primarily latency)  | Ok                   | Great
Supports OpenAPI 3.0             | Yes                  | Yes
Usage Plans                      | Yes                  | No
API Keys                         | Yes                  | No
Custom Domain Names              | Yes                  | Yes - but no support for TLS 1.0
Caching                          | Yes                  | No
Simplified CORS Configuration    | No                   | Yes
Client Certificates              | Yes                  | No
AWS WAF                          | Yes                  | No
Resource Policies                | Yes                  | No
Supports Edge Optimization       | Yes                  | No
Supports Private API             | Yes                  | No
CloudWatch Logs                  | Yes                  | Yes
Kinesis Data Firehose            | Yes                  | No
Execution Logs                   | Yes                  | No
CloudWatch Metrics               | Yes                  | No
AWS X-Ray                        | Yes                  | No